vBulletin 3.0.13
This release of vBulletin addresses a minor cross-site scripting flaw discovered by imei addmimistrator, fixes numerous bugs and adds a new feature.
New Feature: Enhanced File Diagnostics
In previous versions of vBulletin, the 'Suspect File Versions' system (AdminCP > Maintenance > Diagnostics > Suspect File Versions) performed a check on each file found to ensure that its stated version matched the currently-installed version of vBulletin. Therefore, a 3.0.11 version of forumdisplay.php would be flagged for attention on a board running 3.0.12.
The new and improved suspect file versions system extends the file checking functionality in the following ways:
- File version mismatch: The system still checks for mismatched versions
- File not found: The system will identify any missing files
- File not recognised: It will also flag any script files in vBulletin directories that are not part of vBulletin
- Unexpected file contents: The final and most important check is that on download, MD5 sums are generated for every script file in the downloaded package. The system will now compare the original MD5 sum of each file with its current MD5 sum, so it is now possible to tell instantly if any files have been modified from their original state, making it very simple to see if hacks have been installed or if files have not been uploaded correctly.
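The four checks described above can be sketched as a small integrity checker. This is an added example, not vBulletin's own code; the manifest layout, the "vBulletin <version>" header pattern and all file contents are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Assumption for this example: each script carries a "vBulletin <version>" header comment.
VERSION_RE = re.compile(rb"vBulletin (\d+\.\d+\.\d+)")

def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def diagnose(root, manifest, installed_version):
    """Return {relative_path: status} for every file that needs attention."""
    findings = {}
    for rel, shipped_md5 in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings[rel] = "file not found"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        found = VERSION_RE.search(data)
        if found is None or found.group(1).decode() != installed_version:
            findings[rel] = "file version mismatch"
        elif md5_of(data) != shipped_md5:
            findings[rel] = "unexpected file contents"
    # Second pass: script files on disk that the package manifest does not list.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest and name.endswith((".php", ".js")):
                findings[rel] = "file not recognised"
    return findings

def demo():
    # Constructed sample board: one clean file and one file per failure class.
    good = b"<?php // vBulletin 3.0.13\necho 'ok';\n"
    manifest = {name: md5_of(good) for name in
                ("index.php", "forumdisplay.php", "showthread.php", "search.php")}
    on_disk = {"index.php": good, "forumdisplay.php": good.replace(b"3.0.13", b"3.0.11"),
               "showthread.php": good + b"// edited\n", "extra.php": b"<?php\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in on_disk.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return diagnose(root, manifest, "3.0.13")

if __name__ == "__main__":
    print(demo())
```

MD5 is used here because it is the digest the announcement names; the same structure works unchanged with `hashlib.sha256`.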
Updating your vBulletin to combat the XSS flaw:
Versions of vBulletin 3.0 from 3.0.0 Beta 3 to 3.0.12 are affected by the XSS flaw so we recommend that customers upgrade or patch their installations.
For the vBulletin 3.0.x branch, the problem can be resolved in one of two ways.
- Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.0.13 package from the vBulletin Members' Area and following the regular upgrade instructions.
- Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files.